Changelog
1.4.1 Latest
- Fixed: successful logins and logouts were logged with the acting user recorded as "Guest" — WordPress fires `wp_login`/`wp_logout` before it considers that user "current" for the request, so the log now records the user WordPress itself passes to those hooks instead of relying on `get_current_user_id()`.
- Fixed: user-deletion events always logged an empty username, because `deleted_user` fires after the user row is already gone from the database; the log now uses the `WP_User` object core passes directly to that hook.
- Fixed: the REST API endpoint (`/wp-json/reslab-al/v1/events`) triggered a `_doing_it_wrong()` notice when called with no filters active.
- Fixed: inconsistent internal whitespace in the log table's schema definition made `dbDelta()` reissue a full set of `ALTER TABLE` statements on every version-gated upgrade check, even when nothing had actually changed — harmless but unnecessary, and avoidable table-lock overhead on a large log.
- Added: `reslab_al_default_roles` filter — controls which roles are granted the plugin's capabilities on activation/upgrade (previously administrator-only, hardcoded).
- Changed: the internal schema-upgrade lock now uses an atomic `add_option()` instead of a `get_transient()`/`set_transient()` pair, closing a race window under concurrent requests.
1.4.0
- Added: Mass Deletion Alerts — a second, independent anomaly check (off by default) that catches one user deleting an unusual number of objects in a short window.
- Added: optional webhook URL — brute-force and mass-deletion alerts are POSTed as JSON alongside the existing email, for Slack/Discord/Zapier/Make/n8n integrations. New `reslab_al_alert_{$type}` action hook for custom integrations.
- Added: "Archive before purge" — optionally save a gzip CSV snapshot of entries before the nightly purge deletes them, downloadable from Settings (nonce + capability gated, not a direct/public URL).
- Added: read-only REST API (`GET /wp-json/reslab-al/v1/events`), authenticated via WordPress Application Passwords, for external monitoring/SIEM tools. Supports the same filters as the admin screen.
1.3.0
- Added: events fired within the same request are now grouped into a single row in the log (with the rest listed in the expandable details) instead of producing several near-duplicate rows for one editorial save.
- Added: "last ran X ago" status under Data Retention and Brute-Force Alerts in Settings, to confirm those WP-Cron jobs are actually executing.
- Added: free-text search across event details (product/post titles, usernames, option names, coupon codes, etc.).
- Added: the `reslab_al_viewable_object_types` filter is now implemented, letting you restrict which event types a role/user can see in the log and CSV export.
- Schema change: new `request_id` column (+ index); migrates automatically via `dbDelta()` on upgrade, no manual action needed.
1.2.0
- Fixed: WooCommerce order transitions were logged twice — once correctly as an "order" event, once again as a generic "post" event mislabeled `(deleted)` (orders under HPOS don't live in `wp_posts`). The generic tracker now leaves WooCommerce order/refund post types alone entirely; order deletion is tracked separately via `woocommerce_delete_order`.
- Fixed: the "order" object link now resolves through `wc_get_order()->get_edit_order_url()`, which works correctly for both HPOS and legacy post-based orders (the old link pointed at `post.php?post=`, which 404s under HPOS).
- Fixed: `auto-draft` post-status transitions (WordPress reserving a post ID before the editor even opens) no longer create a `status_changed_to_auto-draft` log entry.
- Changed: "Anonymize IP addresses" is now enabled by default on new/unconfigured installs, for GDPR compliance out of the box.
- Changed: brute-force email alerts are now opt-in — a new "Enable brute-force alerts" checkbox (disabled by default) gates the hourly check; the threshold/window settings only take effect once it's turned on.
1.1.0
- Security: fixed a CSV/Formula injection vector in the "Export CSV" action — fields starting with `=`, `+`, `-` or `@` are now neutralised.
- Renamed the database table from `{prefix}activity_log` to `{prefix}reslab_activity_log` to avoid collisions with other logging plugins; existing data is migrated automatically via `RENAME TABLE` on upgrade.
- Added a composite index on `(action, created_at)` to speed up the brute-force detection query on large logs.
- CSV export now streams results in batches instead of loading the entire (filtered) log into memory.
- Log purge now caps the number of batches processed per WP-Cron run and reschedules itself to finish large retention-period drops instead of risking a request timeout.
- Added a dedicated `reslab_al_manage_settings` capability for the Settings page, replacing the hardcoded `manage_options` check, for consistency with `reslab_al_view_log`/`reslab_al_clear_log`.
- The table-version check on `plugins_loaded` no longer re-runs `dbDelta()` on every front-end request while a mismatch persists; it is now throttled with a short-lived lock.
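
The CSV/formula-injection fix listed under 1.1.0, sketched as an added example that is not the plugin's own code. The function names, the apostrophe prefix, the numeric exemption and the sample rows are assumptions; the changelog only states that fields starting with one of the four characters are neutralised.

```php
<?php
// Added example: neutralise spreadsheet formula triggers before CSV export.
// All names below are hypothetical; this is not taken from the plugin.

// The four leading characters named in the 1.1.0 changelog entry.
const FORMULA_TRIGGERS = ['=', '+', '-', '@'];

function neutralise_csv_field(string $value): string
{
    // Empty cells and plain numbers such as "-5" cannot be formulas.
    if ($value === '' || is_numeric($value)) {
        return $value;
    }
    if (in_array($value[0], FORMULA_TRIGGERS, true)) {
        // Assumed strategy: a leading apostrophe makes spreadsheet
        // applications treat the cell as literal text.
        return "'" . $value;
    }
    return $value;
}

function write_csv_rows($handle, iterable $rows): void
{
    foreach ($rows as $row) {
        $safe = array_map(
            static fn($field) => neutralise_csv_field((string) $field),
            $row
        );
        // Explicit separator, enclosure and (empty) escape character,
        // so quoting follows plain RFC 4180 style doubling of quotes.
        fputcsv($handle, $safe, ',', '"', '');
    }
}

// Constructed sample log rows: usernames and titles are user-controlled
// strings that end up in the exported log.
$rows = [
    ['2024-01-01 10:00:00', 'login_failed', '=1+1'],
    ['2024-01-01 10:00:05', 'post_updated', '@SUM(A1:A9)'],
    ['2024-01-01 10:00:09', 'option_updated', '-5'],
    ['2024-01-01 10:00:12', 'user_created', 'alice'],
];

$out = fopen('php://output', 'w');
write_csv_rows($out, $rows);
fclose($out);
```

Neutralising at write time, rather than when the event is stored, keeps the database holding the original value and applies the protection only to the spreadsheet-facing output.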
1.0.0
- Initial release.
- Tracks authentication, content, users, plugins, themes, settings, and navigation menus.
- WooCommerce integration: order status, product meta, coupons, refunds.
- Polylang integration: language assignments.
- Brute-force email alert via hourly WP-Cron.
- CSV export with active filter support.
- GDPR features: IP anonymisation, configurable retention period, email hashing.
- Custom capabilities `reslab_al_view_log` and `reslab_al_clear_log`.
- Full `uninstall.php` for clean removal.